Solved: Trying to pass time range to the splunk search in ...

nithin204 · ‎02-12-2024

Hi All,

I am trying to pass time variables to the search when I click on a value in drilldown dashbaord. Below is the the source of the dashboard

<form version="1.1">
<label>test12</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label>Time</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>test12</title>
<table>
<search>
<query>index=_internal status=* sourcetype=splunkd
|lookup test12 name AS status OUTPUT value | stats count by value</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<drilldown target="_blank">
<set token="drilldown_srch">index=_internal status=* sourcetype=splunkd |lookup test12.csv name as status output value | where value=$row.value$</set>
<link>search?q=$drilldown_srch|u$</link>
</drilldown>
</table>
</panel>
</row>
</form>

I tried adding the time variables in the link as below but no luck

Thanks

gcusello · ‎02-13-2024

Hi @nithin204,

the way to pass a parameter to a drilldown is the one I described, please try this:

<link>search?q=$drilldown_srch|u$$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

anyway, usually a drilldown search takes the same time variables of the original.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎02-12-2024

Hi @nithin204,

what's the error you have?

anyway the string you're using is correct (I suppose that the second $ was a mistyping), but in the dashboard editor you have to use a different notation for &, you must use &:

<link>search?q=$drilldown_srch?earliest=$field1.earliest$&amp;latest=$field1.latest$|u$</link>

Ciao.

Giuseppe

nithin204 · ‎02-13-2024

Hi @gcusello ,

I have to use the second $ as well after drilldown_srch as that is token.

<link>search?q=$drilldown_srch$?earliest=$field1.earliest$&amp;latest=$field1.latest$|u$</link>

If I skip the second "$" after the drillwon_srch, and if I click the value the new search opens as $drilldown_srch in the search bar in new window.

If I use the $drilldown_srch$ , the search is working correct but it is not taking the time variables. It always have a default of 15mins.

Thanks

gcusello · ‎02-13-2024

Hi @nithin204,

the way to pass a parameter to a drilldown is the one I described, please try this:

<link>search?q=$drilldown_srch|u$$&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>

anyway, usually a drilldown search takes the same time variables of the original.

Ciao.

Giuseppe

gcusello · ‎02-13-2024

Hi @nithin204 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Trying to pass time range to the splunk search in drilldown table to open in a new window

Classic dashboard

drilldown

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!